nanog mailing list archives

Re: possible ORG problems, maybe?


From: Daniel Karrenberg <daniel.karrenberg () ripe net>
Date: Fri, 17 Oct 2003 11:34:49 +0200

On 17.10 09:47, Randy Bush wrote:

> but one has little assurance that the response is from the same
> server as the one from which one had the dns response one is debugging.

That is true.  However, this only matters if the operator of the server
allows them to be inconsistent *and* routing is so volatile that queries
are routed to different instances over short periods of time.

In my opinion the increased DDoS resilience alone outweighs this
drawback.  In addition the service quality can be increased as the
number of places at which the service can be provided is independent of
the number of server addresses available due to DNS protocol
limitations.

Hard data:

We probe DNS servers from 60+ points across the internet once a minute
on average.  We log the id.server or hostname.bind value they return.

I have not completed the colour picture version of analysing this part
of the data but here is a quick perl script version:

For the period from 0000UTC to 2359UTC yesterday 60 out of 63 probes (95+%) got
*all* of their 1400+ answers from the *same instance* of k.root-servers.net.
The three probes that talked to different instances showed 1, 2 and 4
change events respectively.  I consider this stable enough for debugging
purposes.

Data for f.root-servers.net shows a similar picture.

Both data files are attached.

We will provide this data in full colour form at dnsmon.ripe.net sometime
in the coming weeks.

Daniel

Attachment: dfk-k
Description:

Attachment: dfk-f
Description:
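
The per-probe consistency count described in the message above, as an added example that is not part of the original post and is not the author's Perl script. The log format, probe names, timestamps and instance identities (`site-a` etc.) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumed format, not the real measurement data):
# "<unix_time> <probe> <server> <hostname.bind or id.server answer, '-' on timeout>"
SAMPLE_LOG = """\
1066348800 probe01 k.root-servers.net site-a
1066348860 probe01 k.root-servers.net site-a
1066348920 probe01 k.root-servers.net site-a
1066348800 probe02 k.root-servers.net site-a
1066348920 probe02 k.root-servers.net site-a
1066348860 probe02 k.root-servers.net site-b
1066348980 probe02 k.root-servers.net -
1066348800 probe03 k.root-servers.net site-b
1066348860 probe03 k.root-servers.net -
1066348920 probe03 k.root-servers.net site-b
1066348800 probe01 f.root-servers.net site-x
"""

def instance_stability(log_text, server):
    """Per probe: answers seen, distinct instances, and instance change events."""
    observations = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[2] != server:
            continue  # malformed line or a different server
        timestamp, probe, _, identity = fields
        if identity == "-":
            continue  # timeout: no identity seen, so it is not a change event
        observations[probe].append((int(timestamp), identity))
    stats = {}
    for probe, seen in observations.items():
        seen.sort()  # lines collected from many probes may be out of order
        ids = [identity for _, identity in seen]
        changes = sum(1 for prev, cur in zip(ids, ids[1:]) if prev != cur)
        stats[probe] = {"answers": len(ids), "instances": len(set(ids)),
                        "changes": changes}
    return stats

def stable_probes(stats):
    """Return (probes that never changed instance, total probes)."""
    return sum(1 for s in stats.values() if s["changes"] == 0), len(stats)

if __name__ == "__main__":
    stats = instance_stability(SAMPLE_LOG, "k.root-servers.net")
    for probe, s in sorted(stats.items()):
        print(probe, s)
    print("stable: %d of %d probes" % stable_probes(stats))
```

A probe that flips to another instance and back counts as two change events, which is why the change count is reported separately from the number of distinct instances.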